1

A user is added to 2 different groups. 1 group is provided author access and another group is provided with editor access. First group has user role 'A' and second group has user role ' A,B'. What is the access and role the user would have?

Ashwin Fernandes
  • 27
  • 6

2 Answers2

2

The user would have the highest access level of all groups (in this case editor access) and all roles assigned to groups (in this case A and B) in database's ACL.

There is only one exception: if the user is listed with his own name in ACL then only these rights the user would have, no matter which listed groups he's member of.

Knut Herrmann
  • 30,880
  • 4
  • 31
  • 67
  • I have another question. Can a user with author access, make changes to a document from an agent or say, a subroutine in another document. – Ashwin Fernandes May 20 '13 at 15:41
  • 1
    If the agent runs under the user's identity, and the user has author access, then the answer is that the agent can only make changes to documents in which the user's name (or group, or role) is listed in an AuthorNames field. If, however, the agent runs under a different identity (e.g., the agent signer's identity), and that identity has Editor rights or higher, then that agent would be able to update any document. For this reason, you should be very careful about exposing the ability to run agents that run under an identity other than the actual user's. – Richard Schwartz May 20 '13 at 16:25
  • Perfect answer from Richard to your additional question. Same for subroutines. Author access is checked for every single document you want to edit no matter from where you're trying it. – Knut Herrmann May 20 '13 at 20:10
1

The access levels are combined. However, Deny access takes precedence over Allow access.

See the docs for more info: http://www-12.lotus.com/ldd/doc/domino_notes/7.0/help7_admin.nsf/b3266a3c17f9bb7085256b870069c0a9/52f8492cea3792698525706f0065c44b?OpenDocument

Also, as the doc states it is helpful to use the Effective access feature within the ACL dialog to see exactly what the user access is.

Ken Pespisa
  • 21,989
  • 3
  • 55
  • 63
  • That link refers to Extended ACL settings, which only applies to the names.nsf. A rule of thumb on that is it will only ever give you less access never more. For everything else it should be highest access level wins (unless explicitly referenced in the ACL). – Simon O'Doherty May 20 '13 at 15:58